(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT) 



CORRECTED VERSION 



(19) World Intellectual Property Organization 
International Bureau 

(43) International Publication Date 
10 August 2000 (10.08.2000) 




PCT 



iiiiiiiiiiniuuiiiiiiiiiiii 

(10) International Publication Number 

WO 00/46681 Al 



(51) International Patent Classification 7 : G06F 13/00 

(21) International Application Number: PCT/USOQ/03489 

(22) International Filing Date: 8 February 2000 (08.02.2000) 

(25) Filing Language: English 

(26) Publication Language: English 



(30) Priority Data: 
09/248,370 
60/153,901 



8 February 1999 (08.02.1999) US 
14 September 1999 (14.09.1999) US 



(63) Related by continuation (CON) or continuation-in-part 
(CIP) to earlier applications: 

US 09/248,370 (CIP) 

Filed on 8 February 1999 (08.02.1999) 



US 

Filed on 



60/153,901 (CIP) 
14 September 1999 (14.09.1999) 



(71) Applicant (for all designated States except US): 
GEOTRUST, INC. [US/US]; Suite 20, 40 Washing- 
ton Street, Wellesley Hills, MA 02481 (US). 

(72) Inventors; and 

(75) Inventors/Applicants (for US only): COULTHARD, 
Christopher, M. [GB/US]; 88 Park Avenue #402, Arling- 
ton, MA 02476 (US). MCLEOD, Scott, C. [US/US]; 24 
Carriage Drive, Chelmsford, MA 01824 (US). NORMAN, 
Peter, D. [US/US]; 56 Palmer Street, Arlington, MA 02174 
(US). WILLOUGHBY, Kevin [US/US]; 10 Church Street, 
Framingham, MA 01702 (US). HODGMAN, Rod, G. 
[US/US]; 465 Robinson Road, Boxborough, MA 01719 

[Continued on next page J 



= (54) Title: CONTENT CERTIFICATION 



00 
SO 



o 



ESTABLISH 
CERTIFICATION 
CRITERIA 



CERTIFY 
RECEIVED 
CONTENT 



DISTRIBUTE 
CONTENT 



■140 



■142 



(57) Abstract: A method of processing content includes storing verifi- 
cation information corresponding to certified content at a first computer 
(140) and receiving a verification request corresponding to content from a 
second computer (142). The method also includes determining a verifica- 
tion information for the content corresponding to the verification request 
and comparing the determined verification information with the stored 
verification information (146). 



M44 



VERIFY CONTENT 
HAS BEEN 
CERTIFIED 



M46 



WO 00/46681 Al I II III IIIIUI! EI 1IIUI IIIU llll 1 1! Ill IEIII IIM lllll l!II IIIIID III] IIII Dll 



(US). ROSENBERG, Jonathan [— /USJ; 11 Seton Hill 
Road, Aubumdale, MA 02466 (US). 

(74) Agents: LEE, G., Roger et al.; Fish & Richardson P.C., 
225 Franklin Street, Boston, MA 02110-2804 (US). 



(81) Designated States (national): AE, AL, AM, AT, AU, AZ, 
BA, BB, BG, BR, BY, CA, CH, CN, CR, CU, CZ, DE, DK, 
DM, EE, ES, FI, GB, GD, GE, GH, GM, HR, HU, ID, IL, 
IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, LS, LT, LU, 
LV, MA, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, 
RO, RU, SD, SB, SG, SI, SK, SL, TJ, TM, TR, IT, TZ, UA, 
UG, US, UZ, VN, YU t ZA, ZW 



(84) Designated States (regional): ARIPO patent (GH, GM, 
KE, LS, MW, SD, SL, SZ, TZ, UG, ZW), Eurasian patent 
(AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European patent 



(AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, 
MC, NL, PT, SE), OAPI patent (BF, BJ, CF, CG, CI, CM, 
GA, GN, GW, ML, MR, NE t SN, TD, TG). 

Published: 

— with international search report 

. (48) Date of publication of this corrected version: 

20 September 2001 

(15) Information about Correction: 

see PCT Gazette No. 38/2001 of 20 September 2001, Sec- 
tion n 

For two-letter codes and other abbreviations, refer to the "Guid- 
ance Notes on Codes and Abbreviations " appearing at the begin- 
ning of each regular issue of the PCT Gazette. 



WO 00/46681 



PCT/USOO/03489 



CONTENT CERTIFICATION 

5 

Reference to Related Applications 
This application relates to pending U.S. application Serial No. 
09/248,370, entitled "Content Certification", filed on February 8, 1999 and U.S. 
Provisional Application Number 60/153,901 filed September 14, 1999. These 
10 applications are incorporated by reference in their entirety herein. 

Background of the Invention 
The Internet and the World Wide Web have made information 
dissemination fast, easy, and cheap. Postings from both businesses and 

15 individuals have contributed to the wealth of available information. 

Unfortunately, the available information is sometimes of dubious value. For 
example, in 1998 a news agency accidentally posted a pre-written obituary of 
Bob Hope on its Web-site. Congress held a moment of silence in his honor. The 
report of Mr. Hope's demise, however, was greatly exaggerated. Other Internet 

20 postings have been less innocuous such as the accidental pre-release of economic 
data by the U.S. Bureau of Labor and Statistics. 

In addition to accidental postings, some information available on the 
Internet, purporting to be from official sources, includes intentionally fabricated 
data or malicious statements. As a result, users tend to be somewhat skeptical of 

25 information accessed from the Internet Additionally, some businesses, wary of 
potential liability or embarrassment, have begun to err on the side of safety and 
withhold information from Internet publication. These factors combine to reduce 
the effectiveness of the Internet as a communication medium. 
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Summary of the Invention 
In general, in one aspect, a method of processing content includes 
5 storing verification information corresponding to certified content at a first 
computer and 

receiving a verification request corresponding to content from a second computer. 

The method determines verification information for the content corresponding to 

the verification request and compares the determined verification information 
10 with the stored verification information. 

Embodiments may include one or more of the following features. The 

method may feature receiving content certification criteria that can be used to 

determine whether content should be certified. The content certification criteria 

can be a list of required approval or programmed logic. The method may also 
15 feature storing certification information (e.g., a type of certification granted, 

entities approving certification, and when the content was certified). The 

verification information can include information derived from the content such as 

at least one hash key. 

The verification request can include a URL. This can enable 
20 determination of verification information by collecting content from the URL 

included in the verification request 

The verification request can include content. This can enable 

determination of verification information by determining verification information 

for the content included in the verification request. 
25 The verification request can include verification information. This 

can enable determination of verification information by merely using information 

included in the verification request 
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Receiving a verification request may be produced by user interaction 
with a certification indicator, for example, a certification indicator included in the 
content 

5 The certification indicator can include a graphic image having associated 

instructions that produce a verification request The method may further include 
transmitting certification information to the second computer. 

The content may include graphics, text, animation, sound, and 
instructions. The content may form a web-page. 
1 0 The comparing may include issuing verification requests to connected 
certification servers. 

In general, in another aspect, a method includes presenting an 
indication that content is certified and receiving user input requesting 
certification verification of the content The method further includes transmitting 
15 a certification verification request to a certification server and receiving 
information indicating whether the content has actually been certified. 

Embodiments may include one or more of the following features. 
Presenting an indication may include presenting a user interface control. The 
method may further include displaying information included in the information 
20 received (e.g., content authorship, revision number, expiration date, and type of 
certification). 

Transmitting a certification verification request may include 
transmitting verification information determined from the content such as one or 
more hash keys. Transmitting a certification verification request may include 
25 transmitting information included in the content 

Transmitting a certification verification may include transmitting a URL. 

In general, in another aspect, a method of controlling content 
distribution includes receiving certification criteria for content to be distributed, 
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identifying content to be distributed, and determining whether the identified 
content satisfies the received certification criteria. 

Embodiments may include one or more of die following features. 
Identifying content may include receiving a request for content at a server. 

5 Identifying content may include collecting content from a set of locations. 
Determining whether the content satisfies the certification criteria may include 
identifying at least one digital signature associated with the content and/or 
determining verification information (e.g., a hash key) for the content 

Advantages may include one or more of the following features. The 

1 0 techniques provide users with a simple and intuitive method of verifying that 
content (e.g., a web-page) has been certified by an organization. Verification can 
be a mouse-click away when content includes a certification indicator. 
Underlying mechanisms protect the verification process from falsification and 
tampering. These mechanisms enable users to trust the authenticity of displayed 

15 content 

The techniques also enable an organization to carefully define 
certification procedures that content must undergo before certification and 
distribution. Automating these certification procedures enables an organization 
to vigilantly control the quality and reliability of information provided. 
20 Different implementation architectures permit distribution of 

certification functions across different computers and potentially speeding 
certification verification. 

Other advantages of the invention will become apparent in view of the 
following description, including the figures, and the claims. 

25 

Brief Description of the Drawings 
FIG. 1 is a screenshot of content that includes a certification indicator. 
FIG. 2 is a screenshot of information that verifies content certification. 
FIG. 3 is a flowchart of a process for certifying content 
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FIG. 4 is a flow diagram of a certification and certification 
verification of content. 

FIG. 5 is a flowchart of a certification procedure. 

FIG. 6 is a block diagram of a certification scheme. 
5 FIGS. 7 A and 7B are screenshots of user interfaces for submitting 

content for certification. 

FIG. 8 is a flow diagram of content certification. 

FIG. 9 is a flowchart of content certification. 

FIG. 10 is a diagram of information stored at a certification server. 
10 FIG. 1 1 is a diagram of digital signature blocks issued for certified 

content 

FIG. 12 is a block diagram of a certification server and certified 

content 

FIGS. 13-14 are flowcharts of processes for monitoring posted 

15 content 

FIGS. 15-16 are screenshots of graphical user interfaces that include 

certification indicators. 

FIG. 17 is a diagram of a certification verification request 
FIGS. 18-22 are flowcharts of processes for certification verification. 
20 FIG. 23 is a flowchart of a process for creating multiple certification 

servers. 

FIG. 24 is a block diagram of a hierarchy of certification servers. 

FIG. 25 is a flowchart of a certification verification process using 
multiple certification servers. 
25 FIG. 26 is a block diagram of franchisee certification servers. 

FIG. 27 is a flowchart of a process for transmitting content to a 
franchisee server. 

FIG. 28 is a flowchart of a process for updating content offered by a 
franchisee server. 



-5- 



WO 00/46681 PCT/US00/03489 



FIG. 29 is a screenshot of a browser's display of an Internet page. 

FIGS. 30-36 are screenshots of different persistent displays that notify 
a user whether content is certified. 

FIGS. 37, 39, 41, and 43 are diagrams of systems for validating 
5 content certification. 

FIGS. 38, 40, and 44 are flow-charts of processes for validating 
content certification. 

FIG. 42 is a diagram of a manifest of web-page contents. 

FIG. 45 is a diagram of a certification server and a validation server. 

10 

Description of the Preferred Embodiments 

Introduction 

Referring to FIG. 1, a browser's graphical user interface 100 (e.g., 
1 5 Netscape™ Navigator™) presents content 104 provided by a resource (e.g., a file) 
at a URL (Universal Resource Locator) 102. The content 104 can include 
graphics, text, animation, sound, instructions (e.g., Java Applets), etc. A URL 
1 02 can refer to a location on a remote computer that stores the content 104 as 
data and presentation instructions. The presentation instructions and data can be 
20 in a variety of formats such as HTML (HyperText Markup Language), XML 
(Extensible Markup Language), PDF (Portable Document Format), JPEG (Joint 
Photographic Experts Group), and MPEG (Moving Picture Experts Group). 
When a browser requests content 104 from a URL 102 resource, a remote 
computer providing the resource can transmit the content 104 to a browser for 
25 presentation. As shown, the browser is an independent application, however, 
other applications (e.g., an e-mail program, a word processor, or a spread-sheet) 
can incorporate functions traditionally performed by the browser. 

As shown in FIG. 1, the browser display 100 includes a certification 
indicator 106. The indicator 106 provides a simple method of ensuring that the 
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content 104 presented has undergone a certification process. Content 104 may 
include one or more certification indicators 106 (e.g., "Certified by the Legal 
Department 11 and "Certified by the Marketing Department"). As shown, the 
indicator 106 is a user interface control that has a graphic image, however, 
5 different implementations can present the control to a user as text, sounds, or by 
using other user interface techniques. User selection of the indicator 106 (e.g., 
using a mouse or other pointing device to click on the graphic image) initiates a 
certification verification process that can confirm that the content presented is the 
same content that has undergone the certification process claimed by the 

10 certification indicator 106. 

Referring to FIG. 2, the certification verification process can produce 
a window 108 that includes a display of information describing the content's 104 
certification such as the entities that have approved the content 1 14, when such 
approval occurred 1 16, the version number 118, etc. Other user interface 

15 techniques can notify a user of certification. For example, a user interface can 
play voice data provided by a person who certified the data (e.g., "This web-page 
was approved by John Doe on February 8, 1999"). 

FIGS. 1 and 2 illustrate a simple and intuitive interface that ensures 
presented content is genuine. Underlying mechanisms protect the verification 

20 process from being falsified or mimicked. These mechanisms enable users to 
trust the authenticity of displayed content and provide web administrators with a 
tool for controlling content offered by a site. 

Referring to FIG. 3, a certification process permits an entity (e.g., 
business, organization, or individual) to establish certification criteria 140. For 

25 example, a business can list employees that must approve submitted content 1 42 
before it receives certification. After certification and distribution 144 of content 
(e.g., by posting the content on an Intranet, Extranet, or Internet site or e-mailing 
the content to recipients), mechanisms can verify 146 that the content presented 
to a user satisfies the criteria required for certification 140 and has not been 
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altered since certification. The process can then present certification information 
such as the entities that approved the content Thus, users can view unforgeable 
information detailing the certification process undergone by content prior to 
distribution. 

5 Referring to FIG. 4, an illustrative implementation uses a certification 

server 124 that includes instructions 126 for certifying submitted content 122. 
The certification instructions 126 can enforce certification criteria (e.g., all 
content must be approved by the legal department). The certification server 124 
can include a database 128 for storing verification information determined from 

10 certified content The verification information includes data that identifies the 
certified content such as a URL, compressed or uncompressed portions of the 
content, and/or an assigned identification number. The verification information 
may also include one or more hash keys (e.g., an MD5 hash and an SHA hash). 
A hash key is produced by a one-way function and typically requires little storage 

15 space (e.g., 160-bits). Hash keys are nearly guaranteed to be unique for any 
given content. 

The database 128 can also store certification information such as the 
type of certification (e.g., the Legal Department), entities certifying the 
document, when certification occurred, when certification expires, the version of 

20 the certified content, etc. Certification information and verification information 
are not mutually exclusive categories. A piece of data may be both certification 
information and verification information. 

As shown in FIG. 4, the certification server 124 also includes 
instructions 132 for processing requests 134 for certification verification. To 

25 verify certification, the instructions 132 can compare the verification information 
130 stored during certification to verification information determined for the 
content being verified. A match indicates the content has undergone a 
certification process and has not been altered since. The certification server 124 
can transmit information confirming certification of the content in question, for 
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example, by dynamically generating HTML instructions that includes 
certification information. An administrator can revoke certification by simply 
deleting or altering information in the database 128. 

5 Defining a Certification Procedure 

Referring to FIG. 5, an organization can use an interface to define 
different certifications 148 and criteria for granting the certifications 150 to 
submitted content. The criteria can include a simple list of employees that must 
approve submitted content Criteria can also include programmed logic that tests 

10 for satisfaction of different conditions. The ability to program criteria enables a 
business to define certification processes that reflect a commitment to distributing 
thoroughly reviewed content 

Referring to FIG. 6, one possible certification scheme 152 uses 
different certification levels. As shown, the levels include site-wide certification 

15 154, class certification 156-158, and individual certification 160-164. Each 
defined certification can include its own granting criteria. For example, to obtain 
site-wide certification, content must first receive certification from the Legal 
Department 156, the Marketing Department 158, and the company's CEO 164. 
Similarly, to receive Legal Department certification 156, at least two members of 

20 the legal department and a text-scanning program that looks for certain phrases 
must approve the content As shown, the certification criteria can include 
different levels of abstraction. For example, instead of requiring certification 
from a particular named person, certification criteria can be more abstractly 
expressed, for example, as a role 162 (e.g., chief attorney) within an organization. 

25 This enables certification to continue as different persons fill positions. 

The criteria for certification may include different levels of approval. 
For example, Marketing Department certification 158 may only require that each 
member of the marketing department receives content for review, while Legal 
Department certification may require that each member affirmatively indicates 
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approval of the content Additionally, certification may be sought for internal 
(e.g., on an Intranet) or external publication (e.g., on the Internet). The criteria 
for .external publication can be stricter than the criteria for internal publication. 
The scheme 152 shown forms a hierarchy between the different 
5 certification levels 154-164. Hie hierarchical structure is a function of the 
defined criteria and is not an inherent characteristic of schemes having different 
certifications. 

Content Certification 

10 Referring to FIGS. 7A and 7B, easy-to-use graphical user interfaces 

shield users from the mechanics of submitting content for certification. For 
example, as shown in FIG. 7 A, a user can submit content via a password 
protected web-page by dragging-and-dropping content onto one or more defined 
certification controls 156, 158. A control 156, 158 receiving the content can 

15 prepare and transmit a certification request indicating the content and the 
certification desired. The certification controls 156, 158 presented can vary 
depending on the person submitting content Alternatively, as shown in FIG. 7B, 
an application toolbar 171 can include a "Certify" button 173. Selecting the 
button 173 can prepare and transmit a certification request for a document. The 

20 user interfaces of FIG. 7A and 7B are merely illustrative and other differently 
designed user interfaces could easily provide similar functions. Additionally, a 
system need not provide a graphical user interface at all, for example, by using e- 
mail to submit content for certification. 

Referring to FIG. 8, a certification request 166 includes content 168 

25 (or a reference to content) submitted for certification and other information 170 
such as the certification desired (e.g., site-wide certification or Legal Department 
certification), the content authors, and a proposed URL. The request 166 can also 
include information such as a revision number, content keywords, title, etc. (not 
shown). 
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SSL (Secure Socket Layer), S-HTTP (Secure Hypertext Transfer 
Protocol), and other secure communications techniques can protect submitted 
content from tampering during transmission. Additionally, a request 166 can 
include one or more digital signatures (not shown) that enable a receiving 
5 computer to authenticate the source of the message. While these features 
enhance security and protect content from tampering en route to the certification 
server, the certification process does not require these measures. 

The certification server 124 can process certification requests. The 
server 124 can distribute submitted content to individuals 172 that could 

10 potentially provide approval needed for certification. For example, the server 
124 can distribute content to all the members of the Legal Department when a 
request is made for Legal Department certification. Workflow software, e-mail 
daemons, and other techniques, potentially executing on computers other than the 
certification server, can also distribute content to individuals for certification. 

15 As shown in FIG. 8, after an entity 1 72 receives and reviews 

submitted content 168, the entity 172 can notify the certification server 124 of its 
approval by sending a certification message 174. The certification message 174 
can include the submitted content 168 and other information 170 included in the 
certification request. The message can also include information 174 that 

20 describes the person transmitting the certification message 174a, the type of 
certification granted 174b (e.g., a person can have the capacity to certify content 
for both the marketing and the legal departments), and a level of approval 174c 
(e.g., "for internal use only" or "for publication on the Internet"). The 
certification message 174 may also include a digital signature 176 (e.g., a 

25 Verisign™/W3C X.509 digital certificate) belonging to the individual submitting 
the certification message 174 or may include information used by other 
authentication techniques such as biometric authentication. As shown in FIG. 8, 
the certification server 124 processes received certification messages 174 with 
certifying instructions 126. 
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Referring to FIG. 9, in one implementation, the certifying instructions 
126 authenticate 178 a certification message to ensure the person claiming to 
have approved submitted content was, in fact, the person who produced the 
certification message 174. After authentication 178, the instructions 126 can 
5 determine 1 80 whether the certification message received satisfies the criteria for 
the certification requested. For example, the instructions 126 can determine 
whether John Doe's 172 certification message 174, alone or in combination with 
previously received certification messages, is sufficient to obtain Legal 
Department certification. If the received certification message 174 does not 

10 satisfy the criteria, the instructions 126 can store the received certification and 
await further certification messages. The process may store a hash for submitted 
content awaiting further certification to ensure that subsequent certification is for 
the same content as the certification already received. The process 126 can also 
attempt to certify any links or other objects referenced by the content (e.g., using 

15 W3C's manifest protocol). 

If the received certification message satisfies certification criteria, the 
instructions 126 can determine 184 verification information from the certified 
content or other information provided. For example, the instructions 126 may 
compute one or more hash keys from the certified content. In general, the 

20 verification information can include any information that can be used to identify 
the certified content. 

After storing the content's certification and verification information in 
the database 186, the instructions 126 can produce a digital signature 188 (e.g., a 
W3C DSig (Digital Signature Group) compliant signature) for the content 188. 

25 The digital signature 208 can include the computed hash 210, the content's URL 
212, or any other verification or certification information (not shown). 

After producing the digital signature 190, the instructions 126 can 
determine 190 whether the content can be dynamically modified 192 to include 
the digital signature. For example, HTML and XML permit dynamic insertion of 



-12- 



WO 00/46681 



PCT/US00/03489 



digital signatures into content (e.g., as header information or as a newly defined 
tag). Inclusion of the digital signature in the content ensures that the digital 
signature travels with the content instead of assuming the signature will remain 
paired with the content during distribution. The instructions 126 can also 

5 dynamically modify the content to include one or more certification indicators 
106. The instructions 126 can store the digital signature(s) in its database. This 
prevents database contents from being tampered with as any altered database 
information will not match the digital signature(s) stored. Finally, the content 
and digital signature(s) are distributed by storage at a URL 194, 196 or by 

10 sending back the certified content to a submitting user for distribution 
shown). 

Referring to FIG. 1 0, the certification server database 130 includes 
information corresponding to certified content. This information can include a 
URL 199, one or more hash keys 200, certifications obtained 201, the certifiers 

15 202, and a certification expiration date 203. The database 130 can also include 
the location (if any) of previous 204 or later 205 content versions. When the 
certification server 124 receives a certification verification request, the server 124 
can determine whether a user has attempted to access the most recent version of a 
document The server 124 can automatically transmit the more recent version of 

20 the document to the user. The database can include a wide variety of other 
information 207 such as a portion of the content and/or a certification expiration 
date. The database 130 can also include the location of different translations of 
content and transmit a translation based on "Preferred Language" data included in 
a certification verification request. 

25 Referring to FIG. 11, after certification, multiple digital signatures 

210a, 210b of different certifications may be associated with content. The 
different digital signatures 210a, 210b may be encrypted and identified by an 
encapsulating digital signature 208 of the certification server. 



-13- 



WO 00/46681 



PCT/US00/03489 



Referring to FIG. 12, after content certification, the certification 
server 124 database 128 stores the verification information 130 corresponding to 
certified content 168. Referring to FIG. 13, in addition to verifying certification . 
in response to verification requests, the certification process enables an 
5 administrator to enforce minimum certification requirements for posted content. 
For example, a site might define a policy that requires any content available via 
the World Wide Web to have certification from both the Legal and Marketing 
Departments. A process 300 can ensure available content meets these 
requirements 306 by determining the certification possessed by content at each 

10 URL 304 offered by a site. Determining content certification can include 

identifying and verifying digital signatures stored at the URL. Alternatively, the 
process 300 can determine verification information of a URL and compare the 
determined verification information with verification information originally 
stored during certification. Either technique ensures that employees or others do 

15 not post content without receiving sufficient certification. 

Referring to FIG. 14, enforcing certification criteria can instead occur 
at a web-server processing content requests. After receiving a request for content 
303, the web-server can determine 305 if the requested content has the 
certification required for transmission 309. If not, the web-server can notify the 

20 web-server administrator 307 that insufficiently certified content has been 
requested indicating that a link or directory has indicated the presence of the 
content on the server. This enables the administrator to quickly find content that 
should not be posted at the site. The web-server can also store information that 
specifically disavows certification for particular content. 

25 

Certification Verification 

Referring to FIG. 1 5, in one implementation, certification instructions 
dynamically modify certified content to include one or more certification 
indicators 106a, 106b. Referring to FIG. 16, certification indicators 106c, 106d 



-14- 



WO 00/46681 



PCT7USOO/03489 



may instead be paired with a listing of certified URLs 107c, 107d, for example, 
produced by a search engine. The certification indicators 106a, 106b may be 
packaged (e.g., included in the same ActiveX control or Java applet) with a 
corresponding URL 107a, 107b to prevent a certification indicator 107a, 107b 
5 from accidental or intentional pairing with a different, potentially uncertified, 
URL. Selecting an indicator 106, 106a, 106b can initiate a certification 
verification process. 

Referring to FIG. 17, initiation of the certification verification process 
can include preparing and transmitting a certification verification request 221 to a 

10 certification server. The request 221 can include, for example;, the certification 
claimed by a certification indicator 223 and verification information 225 
determined from the content presented. The request may be encrypted to prevent 
analysis. The request 221 may also include a portion of the content presented 
227 for comparison to similar information stored in the certification server. This 

15 can make "door-knob rattling" more difficult. That is, people wishing to find a 
valid hash key cannot simply submit request after request with different hash 
keys until one works. The request 221 can include other information such as the 
URL of the content, etc. 

Referring to FIGS. 18-22, certification verification can be 

20 implemented in any number of ways. Hie techniques used to verify certification 
can depend in part on functions provided by the browser (or other application) 
presenting the content in question. For example, older browsers may not accept 
or be able to process digital signatures. Additionally, a browser may not include 
instructions for determining verification information (e.g., the ability to compute 

25 an MD5 hash from presented content). 

The different certification verification techniques, nevertheless, share 
a general process 132. First, the procedures 132 determine verification 
information (e.g., computing a hash or extracting verification information from a 
digital signature) for content 220 being verified. When the determined 
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verification information matches 222, 224 the verification information originally 
determined during certification, the procedures 132 can conclude that the content 
satisfies certification criteria and has not been altered since certification. The 
procedures 132 may also check to ensure certification has not expired and that a 
5 more recent version of the document has not been certified. 

After verifying certification, fee procedures 132 can cause display of 
verification and/or certification information such as the entities that certified a 
document, when certification occurred, etc. Similarly, the procedure 132 can 
notify a user if verification fails. The procedures 132 can also cause other 

10 programmatic behavior to occur in addition to or in lieu of causing a display of 
information. A small subset of possible implementations follows. 

Referring to FIG. 19, if a browser has access to digital signalure(s) 
produced during certification and the ability to determine verification information 
from content, the browser can extract the verification information from the digital 

15 signature(s) 230, determine the verification information of the content in question 
232, and compare the two 234. A match verifies the claimed certification 236. 
This method does not require access to the certification server for certification 
verification. However, access to the certification server enables a user to 
determine if the content remains certified or has been replaced by a new version. 

20 Referring to FIG. 20, if a browser does not have access to digital 

signature(s) produced during certification but has the ability to determine 
verification information, the browser can determine the verification information 
for the content 240 (e.g, compute a hash) and send the determined verification 
information to the certification server 242. The certification server can compare 

25 244, 246 the determined verification information with the verification 

information originally determined during certification. Again, if the two match, 
the content's certification has been verified. 

Referring to FIG. 21, in some cases, content may not display a 
certification indicator. A user may, nevertheless, determine whether the content 
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received certification. In one implementation, the user can visit a certification 
server web-site 252 and enter a URL for verification 254. Instructions on the 
certification server can collect the content provided by the resource at the 
identified URL, determine verification information from the collected content 

5 256, and compare the determined verification information with stored verification 
information of certified content If the instructions find a match, the instructions 
can transmit verification and/or certification information to the user. 

Referring to FIG. 22, in another implementation, a user can simply 
transmit content in question to the certification server 266 for certification 

1 0 verification. The certification server determines verification information for the 
content 268 and can compare 270 this verification information with verification 
information stored in its database. If the certification server identifies a match 
272, the certification server can transmit the verification and/or certification 
information to a user for display 274. 

15 Each of the implementations described above enables a user to 

quickly determine whether presented content actually comes from an official 
source. This enables a user to place greater reliance on the presented information 
and can make the user more likely to return to a site. The implementations also 
enable a content provider to closely scrutinize and guard the content it distributes. 

20 

Multiple Certification Servers 

Referring to FIG. 23, the previous discussion described a single 
certification server. The techniques described can also be used with a network of 
certification servers. Certification server instructions 322 can be transmitted to 
25 different computers requesting 320 the instructions. Such transmission can occur 
after financial arrangements have been settled. Additionally, authentication may 
be performed by both the requesting and transmitting servers. 

Referring to FIG. 24, certification servers may form a hierarchy 324. 
For example, a root certification server 326 connects to different company 
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"Headquarter" certification servers. For example, server 328 may belong to 
Honda while server 330 belongs to General Motors. Each of the headquarter 
servers may connect to different divisions within a company. For example, 
server 332 may belong to Honda Motorcycles while server 334 belongs to Honda 
5 Automobiles. Although FIG. 24 illustrates a hierarchical relationship, other 
certification server topologies are possible. 

Hierarchically organized certification servers permit distribution of 
server processing and storage over a number of computers without losing the 
ability to verify content certified by any of the servers. Additionally, the 

1 0 structure permits hierarchically higher servers to control functions performed by 
lower servers. For example, a server can control whether another server is itself 
able to make a request for certification software. 

For example, referring to FIG. 25, a recursive procedure 336 can 
quickly search each certification server to verify certification of content in 

15 question. After receiving a verification request 338, a certification server can 
check its own database 340 for verification information corresponding to the 
verification request 338. If unable to find the verification information in its own 
database, the server can issue a verification request to connected servers 344. 
Eventually, a verification request will reach the server used for certification of the 

20 content 342 or all servers will return an indication that no server has certified the 
content in question. 

Other procedures can go up the hierarchy rather than down. For 
example, when a division certification server 332 receives a certification 
verification request it cannot provide, the division server 332 can issue a 

25 certification verification request to the headquarters certification server 328. 

Franchising 

A franchisor (e.g., a corporation or syndicated) often may want to 
provide content for display on its franchisee's Web-sites. For example, General 
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Motors may want local dealerships to include a national sales advertisement 
Additionally, franchisees may want to download certified content describing new 
products. 

Referring to FIG. 26, a franchisor 350 (e.g., a corporation or 
5 syndicate) can provide content to different franchisees 352, 354. Any given site 
may act as both a franchisee and franchisor (not shown). 

Referring to FIG. 27, after establishing a franchisor/franchisee 
relationship, a proxy is established at the franchisee with which the franchisor can 
communicate to manage content including refreshing and invalidating content 

10 Thereafter, a franchisee can request content from the franchisor 356. After 
authenticating the franchisee's request 357, the franchisor can send the requested 
content, digital signatures associated with the content, and verification 
information determined for the content during certification 358. The franchisee 
can store the downloaded information and provide the content to site visitors 360. 

15 Referring to FIG. 28, a franchisor can control the content offered by 

its franchisees. For example, to de-certify or update content, the franchisor can 
download replacement content or the franchisor can mark the content in the 
proxy invalid. When a franchisee receives a request for invalid content 364, the 
franchisee requests updated content from the franchisor 366. The franchisor can 

20 monitor the content offered by its franchisees by examining verification 
information corresponding to the content or the content itself. 

After downloading information from a franchisor to a franchisee Web- 
server, visitors to the franchisee can view the downloaded content The 
franchisee proxy can automatically transmit a certification verification request 

25 each time a visitor requests content. 

Requests for content can be metered by the franchisee proxy. Thus, a 
franchisor can receive reports regarding which franchisee sites reached the most 
customers. Metering data can be used for analytical purposes or even as a way to 
charge for use of content (e.g., for each web-page hit) or pay for its distribution. 
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For example, metering can be used as a way for franchisees to charge franchisors 
for distribution of content, for example, by charging a small fee for each content 
request 

5 Alerting Users of Content Validation 

FIG. 29 again shows a web-page 1 100 presented by an Internet 
browser. A user viewing the page 1 1 00 often must trust that the content-provider 
stands behind the contents and/or that the contents have not been tampered with. 
Sometimes this trust is misplaced. For example, someone may have posted the 
10 content at the business 1 web-site without appropriate approval (e.g., undergoing a 
certification process). Alternatively, some intermediate network node may have 
intercepted content as it traveled across the Internet and replaced selected 
portions. 

This application describes techniques that enable a content provider to 
15 certify content. This application also describes techniques for validating 
certification of downloaded content Such validation can include determining 
content is not certified, determining content was altered after certification, 
determining certification has expired, and/or determining certification has been 
revoked. Such validation can also include determining and authenticating the 
20 identities of entities claiming to have certified the content As shown in FIGS. 
30-36, these techniques have been embodied in a software program that can use 
graphical indicators, sound, and other notification techniques to notify a user 
whether downloaded content is certified content 

25^ Display of Certification Status 

A number of different mechanisms can notify users of whether 
downloaded content is certified content. For example, FIGS. 30 and 31 show a 
Microsoft® Windows 95 taskbar button 1 104 and tray icon 1 106 that change 
appearances based an attempt to validate certification of content displayed in an 
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active browser window. For example, the controls 1 104, 1 106 may notify a user 
of the certification status (e.g., certified, uncertified, expired, revoked, etc.) of 
content using text, graphics, color, and other display attributes. The appearance 
of the controls 1 104, 1 106 may vary in different ways for different certification 
5 statuses. For example, content that was never certified may cause the tray icon to 
display a bright red skull and cross bones to alert a user, while content having 
revoked certification may cause the tray icon to turn orange. Hie unobtrusive 
placement of the controls 1 104, 1 106 provides real-time, continual, notification 
of content certification without interfering with a user's normal browser 
10 interaction. 

FIGS. 32-35 show a number of other user notification techniques. For 
example, FIG. 28 shows a window 1 108 that displays a map 1110 of content 
displayed by a browser. The map 1 1 10 may include a logo (not shown) of the 
site offering the content. The different appearances of map regions indicate the 

15 certification status of content For example, red portions may indicate uncertified 
regions of a page, while white portions may indicate certified regions. The 
window enables a user to quickly identify potentially uncertified content. 

FIG. 33 shows a window 1 1 12 that displays a tree of web-page 
contents 1114-1 120. Each node in the tree can correspond to a different content 

20 (e.g., a node for a page's HTML and nodes for different GIF (Graphics 

Interchange Format) pictures referred to by the page). Again, different display 
attributes of tree nodes reflect the certification status of content For example, 
shaded node 1116 indicates that the picture for "Digests of Patent Opinions 
Federal Circuit" has not been certified. The map of FIG. 32 and the tree of FIG. 

25 33 can provide a user with a visual description of content certification, without 
altering the browser's display of the page or otherwise altering the browser's 
functions. 

Other techniques, however, use browser-provided functions to provide 
an indication of the certification status of content For example, as shown in FIG. 
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34, a browser may be dynamically programmed to display the certification status 
of content on a page as a user brushes the content with a cursor. For browsers not 
offering this capability, this feature may be offered by continuously determining 
cursor placement and displaying a window near the content. Alternatively, the 

5 window may only be displayed when a user selects content, for example, by 
clicking a mouse button on the content. 

As shown in FIG. 35, software can also directly alter the display of 
contents after determining the certification of different portions. For example, as 
shown, the software can black-out 1114 uncertified content, and/or alter the 

10 display of content 1 1 16 having expired certification. Depending on the browser, 
this may require writing a downloaded page to a temporary file, modifying the 
temporary file, and reloading the modified temporary file into the browser. 

Hie embodiments described above can also provide more detailed 
information about the certification of content. For example, by selecting the 

15 system taskbar button 1104 in FIGS. 30 or 31, a dialog, as shown in FIG. 36, can 
display detailed information about content. The detailed information can include 
the certifying entity 1 124, a graphic for the entity (e.g., a business trademark), the 
trustworthiness of the page or content 1 125, the URL (Universal Resource 
Locator) or URI (Universal Resource Indicator) of the content 1 127, the range of 

20 dates the certification is valid 1128, and a "digital fingerprint" of the content 
1 129. The dialog may also display other information (not shown) such as the site 
certificate of the web-site providing the page and potentially a text description of 
the "Trust Policy" used by the site to certify content (e.g., "Factpoint, Inc. uses a 
five person review board to certify content prior to posting"). 

25 Any of the visual techniques described above can be combined and/or 

used in conjunction with non-visual techniques such as audio messages (e.g., 
"The picture of Abe Lincoln is untrustworthy"). Additionally, while the above 
description described individual pages, the same techniques work equally well 
with framed browser displays that display two or more pages simultaneously. 
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Underlying the displays shown in FIGS. 30-36 are certification 
procedures that enable providers to certify posted content and validation 
procedures that enable users to validate the certification of received content 

5 The Trust Validator 

FIG. 37 shows a client 1136 browser 1140 downloading information 
(i.e., page 1 132) from a URL (Universal Resource Locator) 1 132 over a network 
1 144. The client 1 136 can present the downloaded content on a user's monitor 
1 142, speaker, etc. As shown, the client 1 136 includes "trust validator 1 ' software 

10 1 138 that validates certification of downloaded content. The validator 1138 may 
operate as a background process that monitors content received by the browser 
1 140, for example, via calls to or from the browser API (application 
programming interface). Alternatively, validator 1 138 functions may be directly 
integrated into the browser 1 140. 

15 The validator 1 138 can validate content certification using 

certification information associated with the content For example, the validator 
1 138 can compare certification information determined for the content 
determined prior to transmission to the client with certification information 
determined after transmission. 

20 In more detail, a certification process produces certification 

information 1 134 based on the certified contends). Typically, this information 
1 134 is produced using a "one-way" function. For example, a hashing function 
may use all or some portion of the ASCII characters in HTML (HyperText 
Markup Language) commands that define a page to produce a set of output bytes. 

25 Given the same input, the hashing function produces the same output. A popular 
hashing functions known as MD5 and SHA can produce relatively small output 
for large pages. 

The certification information 1 134 derived from the content may be 
included in the content itself, for example, as data, for example, as signature 
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and/or manifest elements of an XML (Extensible Markup Language) page or as 
an HTML "Meta" element. When the certification information 1 134 is included 
in the content, it must be removed before re-determining the certification 
information. 

5 Alternatively, the information 1134 may be included in the header of 

an HTTP (HyperText Transfer Protocol) message sent by the server 1 130. In yet 
another implementation, the trust validator 1 138 may independently request 
certification information 1 134 for the downloaded content. For example, the she 
may provide a file (e.g., "factpointtxt") at a predefined location (e.g., 
10 n www.url.com/factpoint.txt 11 ) that lists where certification information 1 134 for 
site content can be found. The file may refer to other sites when the content has 
been copied. 

FIG. 38 shows a process 1 138 the trust validator can use to validate 
certification of downloaded content First, the trust validator obtains 1 150 the 

15 downloaded content (e.g., a page or portion of a page) and the certification 

information associated with the content. The trust validator 1138 can obtain this 
information from the browser 1 140 or can establish an independent connection 
with the server 1 130. The trust validator 1138 can independently determine 
certification information using 1 152 the one-way function on the received 

20 content By comparing 154 the received certification information and the 
independently determined certification information, the validator 1138 can 
determine 1 154 whether the page 1 132 has been altered since certification and 
notify a user of such a change. The trust validator may also notify a web-site 
administrator if certification validation fails so the administrator can investigate 

25 uncertified content offered by the site. 

FIG. 39 shows a scheme that can not only detect tampering, but that 
can also identify and authenticate the entity or entities certifying content This 
scheme features certification information that includes a hash digitally signed by 
one or more certifying entities. A digital signature 1 160, much like a handwritten 
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signature on a piece of paper, provides a degree of certainty that a particular 
entity signed the content in question. 

One digital signature scheme uses a private encryption key known 
only to the signer and a public encryption key that may be freely distributed. 
5 Information encrypted with the private key can only be unencrypted with fee 
public key. Thus, an entity certifying content can encrypt a hash of the content 
with their private key. Only the public key associated with the entity can 
properly decrypt the hash. For example, a hash of content may be encrypted 
using a private key assigned to a web-site and decrypted using a public key 

10 included in the site's certificate. A wide variety of other digital signature 

schemes may be used such as an exchange of a single encryption key or the use 
of physical devices such as smart cards. 

In the system of FIG. 39, information needed to validate a digital 
signature may be included with the certification information. The information 

15 may include an X.509 certificate for each entity signing fee hash. For example, 
an X.509 certificate may include the public key needed to decrypt the hash of the 
page 1132, a description of fee entity holding the private key, and the digital 
signature of some authority such as VeriSign® testifying to the truth of the 
information in the certificate (i.e., that the entity claiming to have signed fee hash 

20 is actually fee claimed entity). In another embodiment, the information needed to 
validate a digital signature (or a reference to this information) may be provided 
by one or more DSig (Digital Signature Users Group) digital signature blocks. 

As shown in FIG. 40, after receiving fee certification information 
(e.g., digital signature and certificates), fee trust validator 1 138 can use fee public 

25 key included in the certificate to extract the hash included in the digital signature. 
The trust validator 1 138 can also follow fee chain of authority 1 162, for example, 
by asking VeriSign® if fee public key received is really fee public key of fee 
entity claiming to have signed fee hash. The trust validator can include 
information about fee chain of authority in a display such as fee dialog shown in 
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FIG. 36. After extracting the hash from the certification information, the trust 
validator 1 138 can conclude the page was altered or was never certified to begin 
with and can notify a user using the techniques described above. 

If the certification information includes a digitally signed hash, the 
5 certification information may be transmitted over an insecure connection. If, 
however, the certification information only includes a hash, a secure connection 
such a secure sockets layer (SSL) connection may be preferred. 

As shown in FIG. 41, instead of a single digital signature or hash, 
certification information may include a manifest 1 170 for content included in a 

10 page. The manifest 1 170 itself may be hashed and digitally signed. As shown in 
FIG. 42, the manifest 1 170 can include the hash values of different page 1 130 
content. For example, the manifest 1 170 shown includes a different hash value 
for each picture displayed on the page. The trust validator 1 138 can use this 
information to validate each portion of a page individually. The validator 1 138 

1 5 can also use criteria to produce an overall estimation of page certification. This 
criteria may be provided by rules included in the manifest 1 170 (e.g., defining 
valid content collections), logic hard-coded into the validator, and/or as logic 
provided by user-supplied code (e.g., a Java script). By default, the validator 
1 138 can describe the page as having the lowest certification status of any content 

20 in the page. For example, if any content on the page has expired, the page as a 
whole is deemed expired. The validator 1 138 may use similar logic for frames. 
That is, the overall certification status of a display is determined by the worst 
certification status of any content in any displayed frame. 

In some implementations, the trust validator 1 138 can alert a user to 

25 revocation, expiration, and other certification statuses of downloaded content 
FIG* 43 shows a server 1130 that includes a database table 1182 describing 
available content 1 132. The table 1 182 can include an expiration date for 
certification, a blanket revocation of certification, and other information. Upon 
receiving content, the trust validator 1 138 can transmit a validation request to 



-26- 



WO 00/46681 



PCT/US00/03489 



validation software 1180 on the server 1130. The validation software 1132 can 
access the table 1 1 82 to verify the content was certified and determine whether 
the content has expired or has been revoked. The validation software 1 132 can 
transmit the results back to die trust validator 1 138. 
5 Though information in the table 1 1 82 may be included in the 

certification information received by the client, the table 1 182 enables an 
administrator to centrally alter certification information. The server table 1 1 82 
can also be used to provide content "versioning". For example, a web-site may 
certify a more recent version of information for a URL. Validation software can 

10 look for valid versions of a URL when a client attempts to validate expired or 
revoked content 

FIG. 44 describes this validation process in greater detail. After 
receiving the content and its corresponding certification information 1200 and 
independently determining the certification 1204 for the content, the validator 

IS 1138 can preliminarily determine if the content is certified without accessing the 
server 1 130. For additional validation, the validator 1 138 can also transmit 1206 
certification information (e.g., the hash) to the server validation software for 
look-up in the server table 1 1 82. The server table 1 1 82 can not only verify that 
the content has not expired or been revoked, the server table 1 1 82 can also 

20 identify more recent content that replaces the content the user downloaded (e.g., 
the URL for the hash submitted has another table entry that has not been 
revoked). The trust validator can then establish a connection to download the 
valid version for display in the browser. 

FIG. 45 shows a secure architecture that distributes server certification 

25 and validation functions between a certification server 1218 and a validation 
server 1232. The certification server 1218 includes certification software 1220 
that certifies submitted content 1214. The certification server 1218 also adds 
table 1 182 entries as content is certified. 
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An administration tool 1216 can manage information stored in the 
table, for example, to specify an expiration date, delete certification, or revoke 
certification for content. 

The certification software 1220 may certify a single piece of content 
5 or a collection of web-pages using a certification "spider." Certification may be 
performed for fixed or dynamically constructed content After certification, the 
certification server can place certified content on the validation server for 
distribution. 

The validation server 1232 includes validation software 1228 that 
10 accesses the certification server 1220 table 1 182 in response to client validation 
requests. The validation server 1232 may maintain a cache of validation data to 
reduce the time spent serving client requests. 

Embodiments 

15 The techniques described here are not limited to any particular 

hardware or software configuration; they may find applicability in any computing 
or processing environment For example, functions described as being performed 
by a certification server can be distributed across different platforms. 

The techniques may be implemented in hardware or software, or a 

20 combination of the two. Preferably, the techniques are implemented in computer 
programs executing on programmable computers that each include a processor, a 
storage medium readable by the processor (including volatile and non-volatile 
memory and/or storage elements), at least one input device, and one or more 
output devices. Program code is applied to data entered using the input device to 

25 perform the functions described and to generate output information. The output 
information is applied to one or more output devices. 

Each program is preferably implemented in a high level procedural or 
object oriented programming language to communicate with a computer system. 
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however, the programs can be implemented in assembly or machine language, if 
desired. In any case, the language may be a compiled or interpreted language. 

Each such computer program is preferably stored on a storage 
medium or device (e.g., CD-ROM, hard disk or magnetic diskette) that is 

5 readable by a general or special purpose programmable computer for configuring 
and operating the computer when the storage medium or device is read by the 
computer to perform the procedures described in this document. The system may 
also be considered to be implemented as a computer-readable storage medium, 
configured with a computer program, where the storage medium so configured 

10 causes a computer to operate in a specific and predefined manner. 

Other embodiments are within the scope of the following claims. 
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What is claimed is: 

1 . A method of processing content, comprising: 

storing verification information corresponding to certified content at a 
first computer; 

receiving a verification request corresponding to content from a 
5 second computer; 

determining verification information for the content corresponding to 
the verification request; and 

comparing the determined verification information with the stored 
verification information. 

10 

2. The method of claim 1, further comprising, receiving content 
certification criteria, 

3. The method of claim 2, wherein certified content comprises 
1 5 content satisfying the content certification criteria, 

4. The method of claim 2, wherein content certification criteria 
comprises a list of required approval. 

20 5 . The method of claim 2, wherein content certification criteria 

comprises programmed logic. 

6. The method of claim 1, further comprising storing certification 
information. 

25 

7. The method of claim 6, wherein certification information 
comprises at least one of the following: a type of certification granted, entities 
approving certification, and when the content was certified. 

30 
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8. The method of claim 1, wherein verification information comprises 
information derived from the content. 

9. The method of claim 8, wherein information derived from the 
5 content comprises at least one hash key. 

10. The method of claim 1 , wherein the verification request includes 
a URL (Uniform Resource Locator). 

10 11. The method of claim 10, wherein determining verification 

information comprises collecting content from fee URL included in the . 
verification request. 

12. The method of claim 1, wherein the verification request includes 

15 content. 

13. The method of claim 12, wherein determining verification 
information comprises determining verification information for the content 
included in the verification request. 

20 

14. The method of claim 1, wherein the verification request includes 
verification information. 

15. The method of claim 14, wherein determining verification 
25 information comprises using the verification information included in the 

verification request. 
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16. Hie method of claim 1, wherein receiving a verification request 
comprises receiving a request caused by user interaction with a certification 
indicator. 

5 17. The method of claim 16, wherein the certification indicator is 

included in the content 

18. The method of claim 16, wherein the certification indicator 
comprises a graphic image having associated instructions that produce a 

10 verification request 

19. The method of claim 1, further comprising transmitting 
certification information to the second computer. 

1 5 20. The method of claim 1, wherein the content comprises at least one 

of the following: graphics, text, animation, sound, and instructions. 

21. Hie method of claim 1, wherein the content comprises a web- 
page. 

20 

22. The method of claim 1, wherein comparing comprises issuing 
verification requests to connected certification servers. 

23. A method, comprising: 

25 presenting an indication that content has received certification; 

receiving user input requesting verification that the content has 
received the certification indicated; 

transmitting a certification verification request to a certification 

server; and 
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receiving information describing whether the content has actually 
received the certification presented by the indication. 

24. The method of claim 23, wherein presenting an indication 
5 comprises presenting a user interface control. 

25. The method of claim 24, wherein receiving user input comprises 
receiving user input via the user interface control, 

10 26. The method of claim 23, further comprising displaying 

information included in the information received. 

27. The method of claim 23, wherein the information received 
comprises at least one of the following: content authorship, revision number, 

1 5 expiration date, and type of certification. 

28. The method of claim 23, wherein transmitting a certification 
verification request comprises transmitting verification information determined 
from the content. 

20 

29. The method of claim 28, wherein the verification information 
comprises a hash key. 

30. The method of claim 23, wherein transmitting a certification 
25 verification request comprises transmitting information included in the content. 

3 1 . The method of claim 23, wherein transmitting a certification 
verification request comprises transmitting a URL. 
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32. A method of controlling content distribution, comprising: 
receiving certification requirements for content to be distributed; 
identifying content to be distributed; and 

determining whether the identified content satisfies the received 
5 certification requirements. 

33. The method of claim 32, wherein identifying content comprises 
receiving a request for content 

10 34. The method of claim 32, wherein identifying content comprises 

collecting content from a set of locations. 

35. The method of claim 32, wherein the determining comprises 
identifying at least one digital signature associated with the content 

15 

36. The method of claim 32, wherein the determining comprises 
determining verification information for the content 

37. A method of processing content received from a networked 
20 computer in response to a browser request for content, the method comprising: 

receiving certification information associated with content received by 
the browser; 

determining a certification status for content based on the received 
certification information; and 
25 displaying at least one indication of the determined certification status 

of the content 

38. The method of claim 37, wherein the indication comprises a 
persistant indication displayed with the content. 
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39, The method of claim 37, wherein the indication comprises a 
taskbar button. 

5 40. The method of claim 37, wherein the indication comprises a tray 

icon. 

41 . The method of claim 37, wherein displaying at least one 
indication comprises processing the content to include one or 

1 0 more indications. 

42. The method of claim 41 , wherein processing the content 
comprises altering visual representation of the content. 
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